HARDWARE-LOGIC BASED FLOW COLLECTOR FOR DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK MITIGATION

US 20160308901A1
Filed: 02/28/2016
Published: 10/20/2016
Est. Priority Date: 09/17/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving from one or more routers within a protected network, by a distributed denial of service (DDoS) attack detection module coupled with a flow controller via a host interface, flow statistics packets;

parsing, by the DDoS attack detection module, the flow statistics packets at layer 2 and validating Ethernet frames;

parsing, by the DDoS attack detection module, the flow statistics packets at layer 3 and validating Internet Protocol (IP) version 4 (IPv4) and IP version 6 (IPv6) packets;

parsing, by the DDoS attack detection module, the flow statistics packets at layer 4 and validating Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packets;

parsing, by the DDoS attack detection module, the flow statistics packets at layer 7 and validating protocol data units associated with one or more flow statistics protocols;

deriving, by the DDoS attack detection module, relevant fields from layer 3, layer 4 and layer 7 and calculating based thereon layer 3 granular rates, layer 4 granular rates and layer 7 granular rates, respectively;

determining, by the DDoS attack detection module, a DDoS attack status of at least one monitored destination coupled to or within the protected network based on observed rate anomalies by comparing the derived layer 3 granular rates, the derived layer 4 granular rates, the layer 7 granular rates with corresponding rate thresholds;

responsive to determining the at least one monitored destination is under attack, interrupting the flow controller, by the DDoS attack detection module, via the host interface; and

causing traffic destined for the at least one monitored destination to be diverted by a route reflector within the protected network to a DDoS attack mitigation appliance within the protected network by responsive to the interrupt, informing, by the flow controller, the route reflector regarding the determined DDoS attack status.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for an integrated solution to flow collection for determination of rate-based DoS attacks targeting ISP infrastructure are provided. According to one embodiment, a method of mitigating DDoS attacks is provided. Information regarding at least one destination within a network for which a distributed denial of service (DDoS) attack status is to be monitored is received by a DDoS attack detection module coupled with a flow controller via a bus. The DDoS attack status is determined for the at least one destination based on the information regarding the at least one destination. When a DDoS attack is detected the flow controller is notified of the DDoS attack status for the at least one destination by the DDoS attack detection module. Responsive thereto, the flow controller directs a route reflector to divert traffic destined for the at least one destination to a DDoS attack mitigation appliance within the network.

15 Citations

View as Search Results

5 Claims

1. A method comprising:
- receiving from one or more routers within a protected network, by a distributed denial of service (DDoS) attack detection module coupled with a flow controller via a host interface, flow statistics packets;
  
  parsing, by the DDoS attack detection module, the flow statistics packets at layer 2 and validating Ethernet frames;
  
  parsing, by the DDoS attack detection module, the flow statistics packets at layer 3 and validating Internet Protocol (IP) version 4 (IPv4) and IP version 6 (IPv6) packets;
  
  parsing, by the DDoS attack detection module, the flow statistics packets at layer 4 and validating Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packets;
  
  parsing, by the DDoS attack detection module, the flow statistics packets at layer 7 and validating protocol data units associated with one or more flow statistics protocols;
  
  deriving, by the DDoS attack detection module, relevant fields from layer 3, layer 4 and layer 7 and calculating based thereon layer 3 granular rates, layer 4 granular rates and layer 7 granular rates, respectively;
  
  determining, by the DDoS attack detection module, a DDoS attack status of at least one monitored destination coupled to or within the protected network based on observed rate anomalies by comparing the derived layer 3 granular rates, the derived layer 4 granular rates, the layer 7 granular rates with corresponding rate thresholds;
  
  responsive to determining the at least one monitored destination is under attack, interrupting the flow controller, by the DDoS attack detection module, via the host interface; and
  
  causing traffic destined for the at least one monitored destination to be diverted by a route reflector within the protected network to a DDoS attack mitigation appliance within the protected network by responsive to the interrupt, informing, by the flow controller, the route reflector regarding the determined DDoS attack status.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - receiving, by the flow controller, user policies including network and IP addresses to be monitored;
      
      configuring, by the flow collector, the DDoS attack detection module to monitor for DDoS attacks on the received network and IP addresses;
      
      reading from the DDoS attack detection module, by the flow controller, the derived layer 3 layer 3 granular rates, the derived layer 4 granular rates and the layer 7 granular rates;
      
      calculating, by the flow controller, the corresponding rate thresholds; and
      
      writing, by the flow controller, the corresponding rate thresholds to the DDoS attack detection module.
  - 3. The method of claim 2, further comprising:
    - receiving from the flow controller the corresponding rate thresholds, by the host interface, via host commands; and
      
      raising an interrupt, by the host interface, that is serviced by the flow controller when one or more of the corresponding rate thresholds are exceeded or when traffic returns to normal.
  - 4. The method of claim 1, further comprising classifying, by the DDoS attack detection module, the flow statistics packets and retrieving one or more of layer 2, layer 3, layer 4 and layer 7 header information from the flow statistics packets.
  - 5. The method of claim 1, wherein the protected network comprises a service provider network and the method further comprises ceasing diversion of the traffic and allowing the traffic destined for the at least one monitored destination to flow via a core router of the service provider network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Jain, Hemant Kumar

Granted Patent

US 9,935,974 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 63/164   at the network layer

HARDWARE-LOGIC BASED FLOW COLLECTOR FOR DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK MITIGATION

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

5 Claims

Specification

Solutions

Use Cases

Quick Links

HARDWARE-LOGIC BASED FLOW COLLECTOR FOR DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK MITIGATION

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

5 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links